The HHS Office of Civil Rights published a new FAQ response (OCR FAQ) detailing the agency’s position that generally information blocking will violate the HIPAA Privacy and Security Rules if it affects a covered entity’s access to its own protected health information (PHI) or its ability to respond to requests for access to PHI from patients. This follows a series of similar policy documents from HHS over the past 18 months that focus on preventing business arrangements or practices that would be defined as information blocking, and thereby, frustrating the goal of interoperability. Specifically, according to the OCR FAQ:

  • An electronic health records (EHR) vendor or cloud provider’s actions to terminate a covered entity’s access to its own electronic PHI (ePHI) (e.g., in a payment dispute) would violate the HIPAA Privacy Rule because those actions would constitute an impermissible use of PHI.
  • An EHR vendor or cloud provider’s refusal to ensure the accessibility and usability of a covered entity’s ePHI upon demand by the covered entity or to return a covered entity’s ePHI upon termination of the agreement, in the form and format that is reasonable in light of the agreement, would violate the HIPAA Security Rule.
  • A business associate may not deny a covered entity access to the PHI the business associate maintains on behalf of the covered entity if necessary to provide individuals with access to their PHI under the HIPAA Privacy Rule.
  • A covered entity that agrees to terms within a business associate agreement (BAA) that would prevent the covered entity from ensuring the availability of its own PHI as required would not be in compliance with the HIPAA Privacy and Security Rules.

OCR has increasingly ramped up its enforcement of violations of the HIPAA Privacy and Security Rules related to noncompliant BAAs, so the new OCR FAQ signals that information blocking provisions could be the source of future enforcement actions.

Our colleagues have written about other HHS guidance on preventing information blocking and potential enforcement risks in prior blog posts and alerts, including:

Together, these HHS statements emphasize that business arrangements regarding health information technology and exchange of health information may not block the appropriate flow of health information and that doing so result in multiple enforcement risks for all parties involved.

HHS has signaled its focus on scrutinizing potential barriers to the appropriate access and exchange of PHI among providers. As a result, parties to arrangements involving the provision of EHRs or the exchange of PHI must examine their contracts and BAAs to ensure that they comply with HIPAA and other laws such as those governing fraud and abuse.

Print:
EmailTweetLikeLinkedIn
Photo of Jodi G. Daniel Jodi G. Daniel

Jodi Daniel is a partner in Crowell & Moring’s Washington, D.C. office and a member of the firm’s Health Care Group, where she provides strategic advice to clients navigating the legal and regulatory environments related to technology in the health care sector. Jodi is the former director of the Office of Policy in the Office of the National Coordinator for Health Information Technology (ONC), U.S. Department of Health and Human Services (HHS). She served for a decade as the director at the ONC and 15 years at HHS, where she helped spearhead important changes in health information privacy and health information technology to improve health care for consumers nationwide.

For more than a decade, Jodi has been responsible for thought leadership, policy development, and identifying policy drivers for health IT activities within the federal government, and ultimately established the HHS’ national health IT policy. As former director at the ONC, she addressed privacy and security issues to ensure that there was clear guidance on how the initial Health Insurance Portability and Accountability Act of 1996 (HIPAA) rules applied to health IT. Jodi set the strategic direction and set policy on consumer e-health and health IT safety. She is also credited with establishing the ONC’s regulatory capacity and led the development of all ONC regulations on health IT standards and certification.

As the first senior counsel for health information technology in the Office of the General Counsel (OGC) of HHS, Jodi developed HHS’s foundational legal strategies and coordinated all legal advice regarding health IT for HHS. She founded and chaired the health information technology practice group within OGC and worked closely with the Centers for Medicare and Medicaid Services in the development of the e-prescribing standards regulations and the Stark and anti-kickback rules regarding e-prescribing and electronic health records.

Photo of Stephanie Willis Stephanie Willis

Stephanie Willis is a counsel in Crowell & Moring’s Washington, D.C. office and a member of the firm’s Health Care Group. Stephanie primarily works with health care clients seeking to comply with state and federal health care anti-fraud and abuse laws, privacy and security laws, and licensing laws.

Stephanie’s work incorporates her Master of Public Health degree as well as her past experiences as an associate counsel in the Office of the Inspector General for the Department of Health and Human Services (HHS-OIG) and as an intern at the Massachusetts Division of Insurance, the Health Care Division of the Massachusetts Attorney General’s Office, and the Massachusetts Health Care Connector, which was the first health care exchange in the nation.